Nevis Networks: Persistent LAN Security and Network Access Control

Nevis Full Access Newsletter – August, 2007 – Volume 1

In this issue:

Welcome from the COO

Best Practices in Identity-based Policy Enforcement

Comparing 802.1x to the Nevis Approach

Customer Case Study: UCDSB

Welcome from Shane Buckley, Nevis COO
Welcome to the inaugural issue of Nevis Full Access, our quarterly e-newsletter. We’ve included you on our distribution list as a result of your participation in an industry event, downloading other Nevis material, or expressly showing interest in Nevis. We sincerely hope you find the information included here informative and useful. We’ve recently made great progress in signing up key new customers, releasing new versions of our products, and we continue to make great strides in the market. Through this publication we hope to keep you abreast of all the Nevis news, as well as continue to provide you insightful security analysis, best practices information, and industry trends.

In this inaugural issue, we’ve included some exciting information on identity-based access control, a comparison of 802.1x with the Nevis approach to user authentication, and a customer case study highlight. Last month I also had the opportunity to participate in a roundtable discussion on the future of network access control (NAC), and where some industry luminaries see it going, which included Rob Whiteley from Forrester Research. Check it out at the top of the next column. As always, we enjoy hearing your feedback, which you can send to us at: communications@nevisnetworks.com.

Best Practices: Identity-based Policy Enforcement
Network infrastructure and network security solutions are typically not identity-aware, since network packet headers carry machine addresses and location, not information about the user. Enforcing identity-based policies with identity-blind systems has proven to be a futile endeavor in light of increasingly complex security policies, open networks, mobile systems, and unmanaged endpoints. This dilemma facing network security administrators has become an insurmountable obstacle and cash drain, resulting in poorly designed security solutions being implemented at the wrong places in the network.

The solution is to build user identity knowledge into the network fabric, and enforce identity-based policies within the secure network. Network security policies can then be easily mapped from the definition stage into the network security architecture, with clear visibility to user activity through the enforcement, remediation and reporting phases.

802.1x: A comparison with the Nevis LAN Security Approach
This paper describes 802.1x and its role in pre-connect LAN Security. Following a brief overview of the technology, we give some pros and cons of an 802.1x deployment. We then describe a phased plan for LAN security that incorporates 802.1x as well as other user authentication alternatives that can be used in the meantime, should 802.1x not be feasible in the near term.

User authentication is necessary for identity-based access control, and 802.1x clearly promises to meet this need. 802.1x has been around for a number of years and has been proposed as the user authentication solution for both wired and wireless LANs. Formally known as the IEEE Standard for Local and metropolitan area networks – Port Based Access Control, IEEE Standard 802.1x-2004 was initially published in 2001 and later revised in 2004. Since then it has become available in virtually all shipping managed switches. Most switch products even offer the ability to configure the port VLAN based on the user identity, and some even support configuring port-based ACLs. Given its widespread availability, 802.1x would seem the obvious choice for implementing user-based authentication in enterprise networks. So why isn’t everyone using it?

Upper Canada District School Board Selects Nevis to Secure 100+ Schools
“We needed a solution to reduce the risk of threats gaining access and spreading within our network — without the need to install client-based software. After evaluating other security solutions, we selected Nevis’ LANenforcer as the best solution to meet our needs.”

Jeremy Hobbs, Chief Information Officer, UCDSB

Supporting over 40,000 student, teacher, and staff users in their environment, Upper Canada District School Board (UCDSB) needed a cost-effective way to ensure appropriate access controls for their mixed user community – which spans across more than 100 schools.